I'm developing a WCF service (NetTcpBinding) and it works just fine without security. We bought a certificate from DigiCert, installed it on the server and configured it with DigicertUtil.exe. It is also installed on the test client machines.
With security turned on, I'm able to connect to it from my dev PC without problems.
Server config:
binding.Security.Mode = SecurityMode.Transport;
binding.Security.Transport.ClientCredentialType = TcpClientCredentialType.Certificate;
binding.Security.Transport.ProtectionLevel = ProtectionLevel.EncryptAndSign;
// Service certificate, looked up in the LocalMachine\My store by subject name
ServerHost.Credentials.ServiceCertificate.SetCertificate(
    StoreLocation.LocalMachine,
    StoreName.My,
    X509FindType.FindBySubjectName,
    Properties.Settings.Default.CertificateName);
Client config:
<binding name="EndPointTCP" closeTimeout="00:01:00" openTimeout="00:01:00"
         receiveTimeout="00:10:00" sendTimeout="00:01:00" transactionFlow="false"
         hostNameComparisonMode="StrongWildcard" maxBufferPoolSize="1610612736"
         maxReceivedMessageSize="1610612736">
  <readerQuotas maxDepth="32" maxStringContentLength="2147483647"
                maxArrayLength="2147483647" maxBytesPerRead="4096" maxNameTableCharCount="16384" />
  <reliableSession ordered="false" inactivityTimeout="00:10:00" enabled="false" />
  <security mode="Transport">
    <transport clientCredentialType="Certificate" protectionLevel="EncryptAndSign"/>
  </security>
</binding>
<behaviors>
  <endpointBehaviors>
    <behavior name="behavior_ServerService">
      <clientCredentials>
        <clientCertificate findValue="*.domain.com"
                           storeLocation="LocalMachine"
                           storeName="My"
                           x509FindType="FindBySubjectName" />
      </clientCredentials>
    </behavior>
  </endpointBehaviors>
</behaviors>
<client>
  <endpoint address="net.tcp://clients.domain.com:10001/Server/ServerService"
            binding="netTcpBinding" bindingConfiguration="EndPointTCP" contract="ServerServiceReference.IServerWS"
            name="EndPointTCP" behaviorConfiguration="behavior_ServerService">
    <identity>
      <dns value="*.domain.com" />
    </identity>
  </endpoint>
</client>
(I modified the domain and service name to protect the customer's privacy.)
Trying it from any other computer, I receive the following error on the clients:
The socket connection was aborted. This could be caused by an error processing your message or a receive timeout being exceeded by the remote host, or an underlying network resource issue. Local socket timeout was '00:00:59.9840000'.
An existing connection was forcibly closed by the remote host
The trace log on the server says:
The remote certificate is invalid according to the validation procedure.
Which is very strange, because I use the same certificate on both the server and the client... (not to mention the dev PC from which it works well...)
The error message is the same even if I set
ServerHost.Credentials.ClientCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.None;
on the server and
ServiceClient.ClientCredentials.ServiceCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.None;
on the client.
Could anybody tell me how to do it correctly? Of course I do not want to use workarounds like a validation callback that always returns true, or the non-validated mode above.
Any help would be appreciated. Only this 'little' problem needs to be solved before we can release... :(
Thanks a lot in advance!
Hudgi
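One way to validate the peer certificate properly instead of an always-true callback, as an added example that is not code from the question or the answer: a custom validator for CertificateValidationMode = Custom on the service side that builds the full chain with revocation checking and then pins the expected certificate thumbprint, reporting every chain status reason so the "invalid according to the validation procedure" trace becomes diagnosable. The class name and the thumbprint placeholder are assumptions.

```csharp
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel.Security;

// Hypothetical validator: chain validation with revocation checking, then a pin
// to the one certificate we expect. Failure reasons are put into the exception
// message so the server-side trace shows *why* the remote certificate was rejected.
public sealed class PinnedChainValidator : X509CertificateValidator
{
    private readonly string _expectedThumbprint; // assumed: hex thumbprint of the DigiCert cert

    public PinnedChainValidator(string expectedThumbprint)
    {
        _expectedThumbprint = expectedThumbprint.Replace(" ", "").ToUpperInvariant();
    }

    public override void Validate(X509Certificate2 certificate)
    {
        if (certificate == null)
            throw new ArgumentNullException(nameof(certificate));

        var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
        chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;

        if (!chain.Build(certificate))
        {
            // e.g. "PartialChain: A certificate chain could not be built to a trusted root authority."
            var reasons = string.Join("; ", chain.ChainStatus
                .Select(s => s.Status + ": " + s.StatusInformation.Trim()));
            throw new SecurityTokenValidationException(
                "Chain build failed for '" + certificate.Subject + "': " + reasons);
        }

        // The chain is trusted; now make sure it is *our* certificate, not just any cert
        // that chains to a trusted root.
        if (!string.Equals(certificate.Thumbprint, _expectedThumbprint, StringComparison.OrdinalIgnoreCase))
            throw new SecurityTokenValidationException(
                "Certificate '" + certificate.Subject + "' is trusted but is not the pinned certificate.");
    }
}

// Wiring on the service side (ServerHost is the ServiceHost from the question):
// ServerHost.Credentials.ClientCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.Custom;
// ServerHost.Credentials.ClientCertificate.Authentication.CustomCertificateValidator = new PinnedChainValidator("<THUMBPRINT>");
```

This validator only decides whether the presented certificate is trusted; the client's check of the service's `<identity><dns>` value against the service certificate's subject still runs separately, so a subject/hostname mismatch has to be fixed in the configuration, not here.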
It sounds like you are trying to use the same certificate as both a server and client certificate and that your clients do not have the same hostname that the certificate was issued to. Even if you set X509CertificateValidationMode.None, the hostnames must match. If your development machine was the same as the server it would most certainly succeed.
Are you intentionally trying to make clients authenticate to the server over SSL, or are you just trying to establish trust from your clients with the certificate authority?
I also suspect your certificate may not really be a wildcard certificate; if that's the case, you are out of luck with using that cert for client authentication.